Transparent Tribe (APT36) is a threat actor historically focused on Indian government and defense targets. Recently, they have expanded their operations to target India's startup ecosystem, with a particular emphasis on cybersecurity startups. This shift suggests a strategic intent to infiltrate companies that provide open-source intelligence (OSINT) services and collaborate with law enforcement, potentially to gather intelligence or disrupt these emerging sectors. The attack vector involves spear-phishing emails that lure victims with startup-themed content. These emails deliver ISO container files, which are used to bypass some email security filters and entice users to open them. Inside these ISO files are malicious LNK shortcut files and batch scripts that execute the Crimson RAT payload. Crimson RAT is a remote access Trojan known for its stealth and persistence capabilities. The malware uses extensive obfuscation techniques to evade detection and employs a custom TCP protocol for command and control (C2) communications, complicating network-based detection. The attack chain leverages multiple MITRE ATT&CK techniques such as T1566 (spear-phishing), T1204 (user execution), T1059.003 (batch scripting), and T1571 (non-standard port communication). The campaign demonstrates APT36's ability to adapt their tooling and tactics to new victim profiles while maintaining core operational behaviors. No public CVE or patch information is available, and there are no known exploits in the wild beyond this targeted campaign. Indicators of compromise include specific file hashes, an IP address (93.127.133.9), and a malicious domain (sharmaxme11.org).

For European organizations, the direct impact of this threat is currently limited due to the primary geographic focus on Indian startups. However, European cybersecurity startups, OSINT providers, or companies collaborating with Indian entities could be at risk, especially if they share infrastructure or communication channels. Successful compromise could lead to unauthorized access, data exfiltration, intellectual property theft, and potential disruption of services. Given the use of sophisticated obfuscation and custom C2 protocols, detection and response efforts may be challenging, increasing the risk of prolonged undetected intrusions. Additionally, the targeting of startups in cybersecurity and OSINT domains could have broader implications for European organizations relying on these services or engaged in joint law enforcement collaborations. The medium severity reflects the targeted nature and complexity of the attack, which requires user interaction and specific lure themes, limiting widespread impact but posing significant risk to affected entities.

European organizations, particularly those with ties to Indian startups or operating in cybersecurity and OSINT sectors, should implement targeted defenses against spear-phishing and malware delivery via ISO files. Specific recommendations include: 1) Enhance email filtering to detect and quarantine ISO container files and suspicious LNK files; 2) Deploy endpoint detection and response (EDR) solutions capable of identifying obfuscated scripts and unusual batch file executions; 3) Monitor network traffic for anomalous TCP connections, especially those using non-standard ports or custom protocols; 4) Conduct user awareness training focused on recognizing spear-phishing attempts and the risks of opening ISO attachments; 5) Implement strict application whitelisting to prevent execution of unauthorized scripts and payloads; 6) Regularly update and audit security controls related to remote access tools and monitor for known Crimson RAT indicators; 7) Share threat intelligence with relevant European and Indian cybersecurity communities to stay informed of evolving tactics; 8) Employ multi-factor authentication and least privilege principles to limit lateral movement if a compromise occurs. These measures go beyond generic advice by focusing on the specific attack vectors and malware behaviors observed in this campaign.